Wednesday, September 5, 2018

Indonesian Spam Communities

In our last post we tried to shed some light on what at first glance appeared to be a very common PayPal phishing email, but which turned out to be connected to a much larger and more distinctive campaign the deeper we looked. Investigating that single email, we were able to uncover a wide-ranging spam group originating from Indonesia that appeared to be responsible for the phishing activity we originally saw. Through that seemingly common PayPal phishing email we found that an Indonesian group was targeting the customer bases of various well-known companies by mass-mailing phishing emails via uniquely identifiable Twitter-shortened URL redirections.

They have done so with great success, as we demonstrated by showing some of the attackers' self-shared screenshots of incoming victim credit card information. We last left off by identifying some additional Twitter handles spreading phishing links and hunting more infrastructure connected to that specific campaign.

Since our last update on the matter we have continued to monitor this group's activity, passing our findings along to the relevant parties. In the process of studying this group, however, we also discovered a second set of Indonesian spamming communities in addition to SlackerC0de and Spammer ID, which we identified in our previous post. This second group uses slightly different tools and techniques but stays true to the same core of collective financial scamming that we wrote about previously.

SendInbox

While we were looking at what the Spammer ID members were doing in their group, we saw that they began discussing an additional mailing tool they were using called "Sendinbox". Up to this point we had seen them mainly sharing their use of mailing tools such as "heart sender" and "GX40 sender". We had also seen the Spammer ID group try to use XAMPP with sendmail from their localhost, relaying through SlackerC0de infrastructure. They used these methods alongside web-based tools on their group websites, like the ones we saw them make available on tool[.]slackerc0de[.]us. When we took a look at what "Sendinbox" was, we saw that it is a PHP tool built on the popular PHPMailer library. Going through the group's chat, we watched them discuss how they were setting this tool up on their shared group servers, mainly using Apple and PayPal phishing letters as the payload.

As you can see from the above screenshots, the 'Sendinbox' tool lets the attacker send a large batch of emails at once with a preconfigured scam message through mail relay servers. In this example an attacker is testing, against his own Yahoo account, whether his emails arrive as regular inbox mail or are filtered as spam. We kept seeing this kind of "QA" process repeated at each stage as the attackers changed servers.

BMarket ID

"Sendinbox" is made by an "Eka Syahwan", who runs a community of groups on various social platforms that is separate from Spammer ID. Its main purpose is to provide support for the user base to whom he sold his mailer tool; a happy customer in this case brings in more potential buyers. The main website for this community, Bmarket[.]or[.]id, also hosts a relay server for email campaigns at hxxp://bmarket[.]or[.]id/sendinbox-server[.]php. A close-knit user base such as this offers the would-be scammer support for his phishing campaigns, and the tool creator provides updates to the tool and workarounds for service blocks. Those blocks kept mounting the more we looked at the group correspondence: members complained that the provided email servers were not delivering their scams successfully, or that the mails were landing in spam folders. As a result we witnessed a heavy shift away from the recognized servers like bmarket[.]or[.]id towards group members actively looking for compromised servers to relay their emails through.

Group members such as the one above started looking for compromised servers on which to upload their Sendinbox tool for future campaigns, and shared them with the group. Once they had gained a foothold on a compromised website, they uploaded the SendInbox email tool, as can be seen below.

Other members also shared their use of vulnerability scanning tools to hunt for potential servers in the group chat.

Along with the proactive hunting these group members were conducting, they were monitoring another website belonging to the "Sendinbox" tool creator called IndoXploit which listed additional compromised servers for them to use in their phishing campaigns.

Eka Syahwan even lists this fact on his personal Facebook profile, along with regular updates to his scamming activity, as we can see in his most recent warning post about some rippers that recently tried to do business with him on Telegram:

Since this is a smaller community that tends to share its successes and failures a little more than Spammer ID does, it was easier for us to track what they were doing in their campaigns. And this group was definitely busy: we have seen them successfully harvest many CC records via targeted email lists, ranging from alphabetically ordered emails to addresses from specific sectors, such as large educational institutions in the US.

An email list an attacker prepared for mass-mailing his phishing letters. The list consists of alphabetically ordered Yahoo accounts that had already been validated as Apple users.

We have witnessed this group target specific sectors or user bases, as in the example below, where they specifically target Japanese users of the IT provider Softbank Japan:

This group is also sophisticated enough to socially engineer letters appropriate to a geographic and linguistic group such as these Japanese Apple users: we caught them testing various Japanese templates, checking how they were received by a Japanese Yahoo account, and, where possible, bouncing them off Japanese accounts.

Successfully harvested credentials received in an attacker's email.

We were only able to look at the incoming credentials shared in the group chats, which amounted to hundreds of victims by our count. If the credentials that were not being shared were added in, the true number of their victims would probably be much higher than that.

Conclusions

Traditional phishing hunting operations tend to rely on certificate and brand-name watching. This tactic is usually quite successful, since phishing domains tend not to have a lifespan longer than a day or two, and if by any chance a phishing page is not hunted down, it is at least usually reported as fake by wary users. The threat that closed scamming communities such as BMarket pose lies in the advantage of crowdsourcing their setbacks and problems. While a single, lone scammer might quit after an unsuccessful attack, a strong base of experienced users, and in this case a tool creator looking to satisfy his clients, will immediately fix whatever is being broken or detected by phish-domain watchers. The closed group also offers some confidentiality to their operations: a small group such as this is harder to track when it makes little noise beyond its chat platforms.

While some of their phishing domains are quickly identified, when we looked at their operations we saw that a lot of Apple and PayPal customers still fell victim to their ploy. We also think this is due to the group's heavy use of shortened and redirected links. In the grander scheme of the cybercrime landscape, it seems that relying on passive hunting cannot replace actively tracking and infiltrating cybercrime groups if phishing activity such as this is to be successfully mitigated, at least in part.

IOCs

Twitter handles connected to this group:
https://twitter.com/belajargila3
https://twitter.com/nawalbelh
https://twitter.com/johanes95826552
https://twitter.com/jancoek14
https://twitter.com/rohmatizud
https://twitter.com/Ongki54705384
https://twitter.com/test19259665
https://twitter.com/wibowoandy14
https://twitter.com/baringinasido
https://twitter.com/PnatekM
https://twitter.com/bambangkou
https://twitter.com/Bajungan1
https://twitter.com/dzakialvriano1
https://twitter.com/bastian55115067
https://twitter.com/pea_sang
https://twitter.com/yusupmuhammad23
https://twitter.com/akibernad
https://twitter.com/XCrow8
https://twitter.com/backes_oswald
https://twitter.com/kontolklean
https://twitter.com/AHarsakti

IP addresses connected to this group:
61.19.251.44
231.100.76.32
37.59.28.24
45.64.1.58
43.250.250.62
50.87.249.80
79.124.76.95
95.142.80.3
103.15.226.230
103.247.11.50
104.20.155.77
104.238.117.234
108.167.180.222
162.241.230.74
162.241.217.60
186.202.153.58
173.236.169.164
182.70.240.119
192.95.11.64
192.163.208.222
132.148.154.122
205.178.189.131
202.70.136.137
204.197.252.169
217.182.113.29

Compromised Websites Shared By the Group:
countdown-showband[.]de//images/jsspwneed.png
http://www.adslaminar[.]com//images/jdownloads/screenshots/jsspwned.png
http://www.psp2.radom[.]pl//images/jdownloads/screenshots/jsspwned.png
http://www.argonrostov[.]ru//images/jsspwneed.php
http://www.oplus-conseil[.]fr//images/jsspwneed.php
http://china.lanfa.com[.]tw//images/jsspwneed.php
http://www.emgiasa[.]es//images/jsspwneed.php
http://www.gammi-ltd[.]ru//images/jsspwneed.php
http://focusmobi.com[.]br//wp-content/plugins/revslider/temp/update_extract/revslider/jsspwned.php
http://syaden[.]net//images/jdownloads/screenshots/jsspwned.png
http://vanguardacademy-ng[.]com//sites/default/files/jsspwnx.php
mail.kingacreative[.]com|info@kingacreative.com|123123
http://www.aytobareyo[.]org/sites/default/files/jsspwnx.php
http://www.technikus[.]pl//images/jsspwneed.php
http://devsaad[.]com/sites/default/files/jsspwnx.php
http://certusprocess[.]com//images/jsspwned.php
http://www.limontech[.]pl//images/jsspwneed.php
http://gemilangasia[.]com//wp-content/plugins/revslider/temp/update_extract/revslider/jsspwned.php
http://www.colegioserecrescer.com.br//wp-content/plugins/cherry-plugin/admin/import-export/jsspwned.php
http://www.jardimexpress.com[.]br//wp-content/plugins/cherry-plugin/admin/import-export/jsspwned.php
http://vykopatkolodec[.]ru//wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/revslider/jsspwned.php
*Currently unconfirmed if being used by the group.
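The IOCs above are most useful to a site owner who wants to know whether their own server is one of the relays. As an added example that is not part of the original post and not a tool of the group described, the following Python script matches web-server access-log lines and a web root against those IOCs: the webshell file names from the compromised-website paths (jsspwneed.php, jsspwned.php, jsspwnx.php and the .png variants) and a subset of the listed IP addresses. The log lines are constructed samples using documentation IP ranges, and the check that flags an image-named file beginning with a PHP open tag is this editor's heuristic, not something the post states about those files.

```python
import os
import re

# Webshell file names taken from the compromised-website paths in the IOC list above.
WEBSHELL_NAMES = {
    "jsspwneed.php", "jsspwned.php", "jsspwnx.php",
    "jsspwneed.png", "jsspwned.png",
}

# A subset of the IP addresses from the IOC list above; extend with the rest as needed.
IOC_IPS = {"103.247.11.50", "162.241.230.74", "192.95.11.64", "217.182.113.29"}

IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Apache/nginx "combined" access-log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalise_basename(target):
    """Lower-cased final path component of a request target, query string dropped.
    The shared paths use doubled slashes ("//images/..."), so collapse them first."""
    path = target.split("?", 1)[0]
    while "//" in path:
        path = path.replace("//", "/")
    return path.rsplit("/", 1)[-1].lower()


def match_log_line(line):
    """Return a dict describing why the line matches an IOC, or None if it is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    reasons = []
    if rec["ip"] in IOC_IPS:
        reasons.append("client IP in IOC list")
    if normalise_basename(rec["target"]) in WEBSHELL_NAMES:
        reasons.append("request for a known webshell file name")
    if not reasons:
        return None
    return {"ip": rec["ip"], "method": rec["method"], "target": rec["target"], "reasons": reasons}


def scan_log(lines):
    """Run match_log_line over an iterable of access-log lines and keep only the hits."""
    return [hit for hit in (match_log_line(line) for line in lines) if hit]


def find_suspicious_files(root):
    """Walk a web root and return (relative path, reasons) for files whose name is in the
    IOC list, or which carry an image extension but begin with a PHP open tag (editor's
    heuristic for a PHP shell uploaded under an image name)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            reasons = []
            if lower in WEBSHELL_NAMES:
                reasons.append("file name in IOC list")
            if os.path.splitext(lower)[1] in IMAGE_EXTENSIONS:
                with open(full, "rb") as fh:
                    head = fh.read(64)
                if b"<?php" in head:
                    reasons.append("PHP open tag inside an image-named file")
            if reasons:
                hits.append((os.path.relpath(full, root), reasons))
    return sorted(hits)


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges. Three lines should match: one by file name, one by IP, one by both.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Sep/2018:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Sep/2018:10:03:44 +0000] "POST //images/jsspwneed.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '103.247.11.50 - - [05/Sep/2018:10:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "curl/7.58.0"',
    '198.51.100.7 - - [05/Sep/2018:10:06:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.95.11.64 - - [05/Sep/2018:10:07:30 +0000] "POST /sites/default/files/jsspwnx.php HTTP/1.1" 200 300 "-" "python-requests/2.19"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]:15} {hit["method"]:4} {hit["target"]}  <- {"; ".join(hit["reasons"])}')
```

Run it against a real access log by feeding the file's lines to scan_log and pointing find_suspicious_files at the document root; any hit is a reason to pull the file, check its upload time against the log, and rotate the mail credentials on that host.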